Popaya Technologies Private Limited ("Popaya", "we", "our", or "us") is a technology studio based in Mumbai, India. We respect your privacy and handle personal data with care. This policy explains what information we collect when you visit our website or work with us as a partner, how we use it, who we share it with, and what rights you hold over it. It applies to all data subjects regardless of geography — including individuals in the European Economic Area, the United Kingdom, and the United States.
Information We Collect
We collect information in three ways — directly from you when you reach out, automatically through your browser when you use our website, and occasionally from third-party sources you connect.
- Contact and project data — name, email address, company name, phone number, and project brief when you submit our contact form, book a call, or initiate a project engagement.
- Communication records — emails, WhatsApp messages, meeting notes, and project documents exchanged during an engagement or sales process.
- Usage data — IP address, browser type and version, referring URL, pages visited, and session duration, collected automatically when you visit our website.
- Cookie data — session and preference cookies for site functionality, and analytics cookies if you have consented to them. We do not use advertising or tracking cookies.
- Payment and billing data — invoicing details such as company name, billing address, and GST/VAT number. Card or banking details are handled exclusively by our payment processors; we never store them.
How We Use Your Information
We use personal data only for the purposes for which it was collected or for compatible purposes that you would reasonably expect.
- Service delivery — to scope, quote, design, build, and support projects you have engaged us for.
- Communication — to respond to enquiries, schedule calls, send project updates, and issue invoices.
- Website analytics — to understand how visitors use our website so we can improve it. Analytics data is aggregated and does not identify individuals.
- Legal and compliance — to comply with applicable Indian and international laws, court orders, and regulatory obligations.
- Security — to detect, investigate, and prevent fraudulent or unauthorised activity.
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Legal Basis for Processing
For individuals in the European Economic Area or the United Kingdom, every processing activity rests on one of the following legal bases under GDPR / UK GDPR.
- Contract — processing is necessary to perform a contract with you or to take steps before entering one (e.g. scoping a project, issuing a quote, delivering work).
- Legitimate interests — processing is in our legitimate interests and does not override your rights (e.g. responding to inbound enquiries, operating our website, keeping records of past projects).
- Legal obligation — processing is required to comply with a statutory duty (e.g. retaining financial records for tax purposes).
- Consent — processing is based on freely given, specific, and informed consent (e.g. setting analytics cookies). You may withdraw consent at any time without affecting prior processing.
Data Retention
We retain personal data for as long as necessary to fulfil the purpose for which it was collected, subject to longer retention where required by law.
- Project and engagement records — retained for seven years from project completion to satisfy accounting, tax, and legal obligations under Indian law.
- Contact and enquiry data — retained for two years from last contact if no engagement results; deleted sooner on request.
- Website analytics data — retained for 26 months on a rolling basis.
- Financial and invoicing records — retained for eight years as required by the Companies Act 2013 and Income Tax Act 1961.
When data is no longer required, it is securely deleted or anonymised.
International Data Transfers
Popaya is based in India. Some of our service providers are headquartered or have servers in other countries, which means personal data may be transferred internationally.
For transfers of EEA or UK personal data to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum.
For transfers of personal data originating in India to third-country processors, we apply appropriate contractual safeguards consistent with the Digital Personal Data Protection Act 2023 and its forthcoming rules.
Your Rights & Choices
Depending on your jurisdiction, you may have some or all of the following rights over your personal data. To exercise any of these, contact us at the address in §13.
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
- Restriction — ask us to pause processing your data while a dispute is resolved.
- Portability — receive a structured, machine-readable copy of data you provided to us.
- Objection — object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
- Withdraw consent — where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Lodge a complaint — you have the right to complain to your local data protection authority. Indian residents may contact the Data Protection Board of India once established.
We will respond to verified requests within 30 days, or notify you if we need more time.
Data Security
We apply technical and organisational measures proportionate to the sensitivity of the data and the risks involved.
- Data in transit is encrypted using TLS 1.2 or higher.
- Access to personal data is restricted to personnel who need it to do their jobs, governed by role-based access controls.
- Third-party service providers are assessed for security practices before engagement and bound by contractual obligations.
- In the event of a personal data breach that poses a risk to individuals, we will notify the relevant data protection authority within 72 hours and, where required, inform affected individuals without undue delay.
No system is perfectly secure. If you believe your data has been compromised, please contact us immediately.
Children's Privacy
Our website and services are directed at businesses and professionals. We do not knowingly collect personal data from anyone under the age of 18.
If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has submitted data to us, please notify us at the contact address in §13.
Third-party Links & Services
Our website contains links to third-party websites, platforms, and services — including LinkedIn, GitHub, and WhatsApp. These are provided for convenience; clicking them takes you outside our environment.
We are not responsible for the privacy practices or content of those third-party sites. We encourage you to review their privacy policies before sharing personal data with them.
Updates to This Policy
We may update this policy from time to time. Material changes — those that significantly affect your rights or how we use your data — will be communicated via a notice on our website at least 30 days before taking effect.
The "Last updated" date at the top of this policy reflects the most recent revision. We encourage you to review it periodically. Continued use of our website or services after the effective date of a revision constitutes acceptance of the updated policy.
Contact & Grievance Officer
For questions about this policy, to exercise your rights, or to raise a privacy concern, please reach out to us in writing.
- Email — [email protected]
- Post — Popaya Technologies Private Limited, 204 Malwa, Patanwala Estate, LBS Marg, Ghatkopar (W), Mumbai 400 086, Maharashtra, India.
In accordance with the Information Technology Act 2000 and the rules thereunder, our designated Grievance Officer can be contacted at the address above. We will acknowledge grievances within 24 hours and resolve them within 30 days of receipt.